OpenBSD Journal

amd64 Kernel W^X

Contributed by tbert on from the Windows ^ X11 dept.

Theo de Raadt (deraadt@) announced that the amd64 kernel now applies W^X memory protection to its own address space:

Mike Larkin has been slow at informing the world, despite my prodding.
Probably started working on something else cool...
So.. I am going to take it upon myself to sing praise to him, and
hopefully he'll let me off lightly!

Over the last two months Mike modified the amd64 kernel to follow the
W^X principles.  It started as a humble exercise to fix the .rodata
segment, and kind of went crazy.  As a result, no part of the kernel
address space is writeable and executable simultaneously.  At least
that is the idea, modulo mistakes.  Final attention to detail (which
some of you experienced in buggy drafts in snapshots) was to make the
MP and ACPI trampolines follow W^X, furthermore they are unmapped when
not required.

Some further amd64-specific page attribute improvements snuck in.  Too
complicated to describe simply.

I followed along for the ride and improved the situation on other
architectures, mostly MI improvements so the right requests would be
made to the MD layers.  Final picture is many architectures were
improved, but amd64 and sparc64 look the best due to MMU features
available to service the W^X model.  The entire safety model is also
improved by a limited form of kernel ASLR (the code segment does not
move around yet, but data and page table ASLR is fairly good.  There
are some known pages, but hopefully fewer in the future).

To which Mike Larkin (mlarkin@) replied:

Thanks Theo for the encouragement along the way.

It did indeed start with .rodata, but then we ended up fixing a ton more;
probably a dozen different places needed tightening up.

i386 is next, but that requires a PAE paging model and compatible CPU.
I've got the PAE mode booting but it's not ready for prime time yet.

Thanks to Mike for this work! Hopefully we'll see this in more arches soon!
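The property Theo describes (no kernel page both writable and executable, trampolines unmapped when idle) is enforced through the page tables, and the MMU feature that makes it cheap on amd64 is the NX bit in the 64-bit page-table entry. The following is an added example, not OpenBSD code and not Mike Larkin's work: it audits a small constructed table of amd64 PTEs for W+X mappings and shows the mechanical fix (drop write from executable pages, set NX on everything else). The virtual and physical addresses, segment names and the struct kmap layout are invented for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* amd64 4 KiB page-table-entry bits (as documented in the Intel SDM / AMD APM). */
#define PTE_P       (1ULL << 0)   /* present */
#define PTE_RW      (1ULL << 1)   /* writable */
#define PTE_NX      (1ULL << 63)  /* no-execute; only exists in a 64-bit PTE, hence PAE on i386 */
#define PTE_PA_MASK 0x000ffffffffff000ULL

/* Hypothetical bookkeeping record for one kernel mapping (not a real kernel struct). */
struct kmap {
    const char *name;   /* label for the report only */
    uint64_t    va;     /* kernel virtual address (made up) */
    uint64_t    pte;    /* the entry as it sits in the page table */
    bool        exec;   /* is this region meant to be executable? */
};

/* A mapping violates W^X when it is present, writable and not marked NX. */
bool pte_is_wx(uint64_t pte)
{
    return (pte & PTE_P) && (pte & PTE_RW) && !(pte & PTE_NX);
}

/* Apply W^X: executable pages lose write, everything else loses execute.
 * A non-present (unmapped) entry, e.g. an idle trampoline, is left alone. */
uint64_t pte_wx_fix(uint64_t pte, bool want_exec)
{
    if (!(pte & PTE_P))
        return pte;
    return want_exec ? (pte & ~PTE_RW) : (pte | PTE_NX);
}

/* Report every W+X mapping in the table and return how many there were. */
size_t wx_audit(const struct kmap *m, size_t n)
{
    size_t bad = 0;
    for (size_t i = 0; i < n; i++) {
        if (pte_is_wx(m[i].pte)) {
            printf("W+X: %-10s va=%#018llx pa=%#014llx\n", m[i].name,
                   (unsigned long long)m[i].va,
                   (unsigned long long)(m[i].pte & PTE_PA_MASK));
            bad++;
        }
    }
    return bad;
}

/* Constructed sample table; addresses and layout are invented. */
static const struct kmap sample[] = {
    { ".text",      0xffffffff81000000ULL, 0x0000000001000000ULL | PTE_P,                   true  },
    { ".rodata",    0xffffffff81400000ULL, 0x0000000001400000ULL | PTE_P | PTE_NX,          false },
    { ".data",      0xffffffff81600000ULL, 0x0000000001600000ULL | PTE_P | PTE_RW | PTE_NX, false },
    { "mp_tramp",   0xffffffff81800000ULL, 0x0000000000007000ULL | PTE_P | PTE_RW,          true  }, /* W+X: the bug */
    { "acpi_tramp", 0xffffffff81801000ULL, 0x0000000000008000ULL,                           true  }, /* unmapped while idle */
};
#define NSAMPLE (sizeof sample / sizeof sample[0])

size_t audit_sample(void)
{
    return wx_audit(sample, NSAMPLE);
}

size_t audit_sample_after_fix(void)
{
    struct kmap fixed[NSAMPLE];
    for (size_t i = 0; i < NSAMPLE; i++) {
        fixed[i] = sample[i];
        fixed[i].pte = pte_wx_fix(sample[i].pte, sample[i].exec);
    }
    return wx_audit(fixed, NSAMPLE);
}

int main(void)
{
    printf("violations before: %zu\n", audit_sample());
    printf("violations after:  %zu\n", audit_sample_after_fix());
    return 0;
}
```

The only entry flagged is the trampoline that was left writable and executable; after the fix it keeps execute and loses write, exactly like .text. The idle ACPI trampoline has its present bit clear, so it is neither reachable nor a W^X concern until it is mapped again. The NX bit sits at bit 63, which is also why Mike's i386 port needs PAE: a legacy 32-bit PTE has no such bit, so a non-PAE i386 kernel cannot express "writable but not executable" per page at all.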



Comments
  1. By Renaud Allard (renaud) renaud@allard.it on

    Does this mean we might get 2 flavors of kernels for i386, one which is PAE enabled and one which is not?

    Comments
    1. By journeysquid (Tor) on http://www.openbsd.org/donations.html

      > Does this mean we might get 2 flavors of kernels for i386, one which is PAE enabled and one which is not?

      Per the extended discussion on the matter (http://marc.info/?t=142120800900002&r=1&w=2), yes, that might be the case. But pre-PAE will remain supported.

  2. By Anonymous Coward (81.83.83.198) on

    nice! thank you :)
